PatchSiren cyber security CVE debrief
CVE-2026-45367 hapifhir CVE debrief
CVE-2026-45367 is a denial of service vulnerability in HAPI FHIR prior to 6.9.7. The FHIRPathEngine implementation passes user-controlled regular expressions to Java regex operations without effective timeouts, allowing catastrophic backtracking and denial of service. This issue is fixed in version 6.9.7. Users should review their current version and update as necessary.
- Vendor
- hapifhir
- Product
- org.hl7.fhir.core
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of HAPI FHIR prior to version 6.9.7 should update to the latest version to prevent denial of service attacks. This includes developers and administrators who use HAPI FHIR in their applications, as well as security teams who monitor for potential vulnerabilities.
Technical summary
The FHIRPathEngine implementation in HAPI FHIR prior to 6.9.7 passes user-controlled regular expressions from matches(), matchesFull(), and replaceMatches() to Java regex operations without effective timeouts. This allows for catastrophic backtracking and denial of service attacks. The issue is fixed in version 6.9.7. Review and validate user-controlled input to FHIRPathEngine to prevent potential attacks.
Defensive priority
High
Recommended defensive actions
- Update to HAPI FHIR version 6.9.7 or later
- Review and validate user-controlled input to FHIRPathEngine
- Implement effective timeouts for Java regex operations
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-16T17:16:56.293Z and has not been modified since then. The NVD entry is currently Awaiting Analysis. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:56.293Z and has not been modified since then.